Scoop’s Open Source Adserver

There has been a great deal of talk about the poor coding efforts of Wheedle.

NBR broke that story and found security holes in the site of another Trademe wannabe.

This post is about another woeful coding effort, this time from This has all the hallmarks of the infamous Labour Party screw up with their website but with a very real risk in this instance of someone placing malicious code within sites that are having ads served by Scoop.

To be extremely clear before I go into the story: I have not hacked or performed any hacking of Scoop or any other site. The adserver is completely open to the public and searchable via Google.

I also shared my discovery with some media so as to protect myself from accusations of hacking. You simply do not need to perform any such illegal activity as Scoop has left the door wide open and the keys in the ignition.

I was searching on Google for some details about adservers for a project I am working on and stumbled upon something that is very concerning about the set up of Scoop’s adserver. For a start, you can Google it. (Image of search)

Even basic protections like creating a disallow for the folder that contains the adserver in their robots.txt have not been performed. That is not security, rather it is obscurity that at the very least would have hidden the adserver from search results.
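To make the distinction concrete, here is an added example (not Scoop's code, and not from any adserver product) of how the two measures differ: a robots.txt Disallow that merely keeps the admin folder out of search indexes, beside an actual access control on the admin path. The WSGI app, the /adserver/admin/ path and the credential store are all hypothetical; TLS in front of the server is assumed, since HTTP Basic sends credentials in the clear otherwise.

```python
"""Added example (not Scoop's code): robots.txt Disallow as obscurity,
next to a real access control on the admin prefix. Paths and credentials
are hypothetical; TLS termination in front of this app is assumed."""
import base64
import hmac
from wsgiref.simple_server import make_server

ADMIN_PREFIX = "/adserver/admin/"          # hypothetical admin UI path
ROBOTS_TXT = "User-agent: *\nDisallow: /adserver/admin/\n"

# Constructed credential store (hypothetical). A real deployment keeps salted
# password hashes behind SSO/MFA rather than a plaintext dict.
CREDENTIALS = {"adops": "correct horse battery staple"}


def basic_auth_header(user, password):
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def check_basic_auth(header):
    """Return the username if the header carries valid credentials, else None.
    The password comparison is constant-time."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CREDENTIALS.get(user)
    if expected is None:
        return None
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/robots.txt":
        # Hides the admin folder from well-behaved crawlers. This is NOT an
        # access control: anyone who knows the path can still request it.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [ROBOTS_TXT.encode()]
    if path.startswith(ADMIN_PREFIX):
        # The actual protection: no valid credentials, no admin console.
        user = check_basic_auth(environ.get("HTTP_AUTHORIZATION"))
        if user is None:
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="adserver admin"'),
                ("Content-Type", "text/plain"),
            ])
            return [b"authentication required\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"admin console for {user}\n".encode()]
    # Everything else is the public ad-delivery side and stays open.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"public ad delivery endpoint\n"]


def request(path, auth_header=None):
    """Run one constructed GET through the app; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if auth_header:
        environ["HTTP_AUTHORIZATION"] = auth_header
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The robots.txt handler and the 401 branch are deliberately side by side: the first only affects what a crawler indexes, the second is what stops an unauthenticated visitor from reaching the console whether or not they found the path through a search engine.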

Once you find it however, then you have unfettered administrative rights to the entire adserver:

I was able to view their entire adserver setup:

Including settings for individual ads:

Access and edit live ads:

Control which sites they would appear on:

Create new campaigns:

Place new ads:

And ad code including iframe code that would allow me, or anyone else for that matter to place malicious code within sites that Scoop delivers ads to:

This line in their source calls code into an iframe:

<iframe id="ad_50767E148AB1_SCSG" align="center" src="/xl?c=SCSG;iframeid=ad_50767E148AB1_SCSG" width="988" height="26" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" scrolling="no">

Because the content of that iframe is editable, anyone could inject their own malicious code to distribute malware etc. You could happily play havoc without them being any the wiser.
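Two things limit the damage an editable ad slot can do: checking the creative before it is stored, and serving it in a frame that cannot reach the publisher's page. The following is an added example, not Scoop's code or any adserver's; the allowlists, the validator class and the ad host in sandboxed_iframe are hypothetical. It goes slightly beyond the post by covering event-handler attributes and javascript:/data: URLs as well as script tags.

```python
"""Added example (not Scoop's code): allowlist validation of an ad creative
before storage, plus a sandboxed iframe wrapper for the publisher page.
Tag/attribute lists and the ad host are hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: only markup an image/text ad actually needs.
ALLOWED_TAGS = {"a", "img", "div", "span", "p", "br", "b", "i", "strong", "em"}
ALLOWED_ATTRS = {
    "a": {"href", "title", "target", "rel"},
    "img": {"src", "alt", "width", "height"},
    "div": {"class", "style"},
    "span": {"class", "style"},
    "p": {"class"},
}
ALLOWED_URL_SCHEMES = {"http", "https"}


def safe_url(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, etc."""
    if value is None:
        return False
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in ALLOWED_URL_SCHEMES


class CreativeValidator(HTMLParser):
    """Walks a creative and records every reason it must be rejected."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # <script>, <object>, <embed>, <iframe>, <form> ... all land here.
            self.problems.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            if name.startswith("on"):
                # onload=, onerror=, onclick= ... are script in disguise.
                self.problems.append(f"event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.problems.append(f"disallowed attribute {name} on <{tag}>")
            elif name in ("href", "src") and not safe_url(value):
                self.problems.append(f"unsafe {name} on <{tag}>: {value!r}")


def validate_creative(html):
    """Return the list of problems; an empty list means the creative may be stored."""
    v = CreativeValidator()
    v.feed(html)
    v.close()
    return v.problems


def sandboxed_iframe(creative_id, width, height):
    """Publisher-side wrapper. Without allow-same-origin the frame gets an
    opaque origin, so even a bad creative cannot read or script the host page,
    navigate the top window, or submit forms. Scripts inside it still run,
    which is why validate_creative() is needed as well."""
    src = f"https://ads.example.invalid/creative/{creative_id}"  # hypothetical host
    return (
        f'<iframe src="{src}" width="{width}" height="{height}" '
        'sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox" '
        'referrerpolicy="no-referrer"></iframe>'
    )


if __name__ == "__main__":
    # Constructed creatives: one acceptable, one that must be rejected.
    good = '<a href="https://example.com"><img src="https://example.com/ad.png" alt="ad"></a>'
    bad = '<img src="https://example.com/ad.png" onerror="x()"><script>x()</script>'
    print("good:", validate_creative(good))
    print("bad:", validate_creative(bad))
    print(sandboxed_iframe("ad_50767E148AB1_SCSG", 988, 26))
```

Note that the iframe in the post is served same-origin (src="/xl?..."), so whatever is in it runs with the same privileges as the page around it. A sandboxed, separately hosted frame would have confined an edited creative even after the admin console was left open, but it does not replace locking the console down.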

To prove my point I have placed ads on Scoop and on The Standard…ads they really wouldn’t want on there, but I could do it nonetheless, without any hacking.

On Scoop:

On The Standard:

This is very shoddy work from Scoop Media. If I had my advertising with them I would be distinctly unhappy that they had potentially exposed my site to the risks of malicious code. If I was an advertiser I’d be more unhappy that all my campaign details are there for all to see.

One wonders what other security holes exist on Scoop’s website.


As much at home writing editorials as being the subject of them, Cam has won awards, including the Canon Media Award for his work on the Len Brown/Bevan Chuang story. And when he’s not creating the news, he tends to be in it, with protagonists using the courts, media and social media to deliver financial as well as death threats.

They say that news is something that someone, somewhere, wants kept quiet. Cam Slater doesn’t do quiet, and as a result he is a polarising, controversial but highly effective journalist that takes no prisoners.

He is fearless in his pursuit of a story.

Love him or loathe him. But you can’t ignore him.